MITRE ATT&CK® Detection Strategy

DET0159: Detect Remote Access via USB Hardware (TinyPilot, PiKVM)


Domain: Enterprise | ID: DET0159 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0159 is a detection strategy for identifying remote access through USB-connected hardware such as TinyPilot or PiKVM, which relates to ATT&CK technique T1219.003 Remote Access Hardware. The business issue is that these devices can create an interactive command-and-control path that may bypass assumptions focused only on software remote access tools. Because the ATT&CK object provides no official detection procedure, organizations should treat this as a validation prompt: can they see and investigate unexpected USB/KVM-style peripherals and related network access on Linux, macOS, and Windows systems?

Executive priority

Prioritize this where unauthorized physical access, shared facilities, labs, data centers, workstations with sensitive access, or weak peripheral governance could affect business continuity or incident containment. Leaders should ask whether asset inventories, physical security processes, endpoint telemetry, and SOC playbooks can distinguish approved remote access hardware from an unauthorized device. This also supports audit and compliance evidence around hardware control, remote access governance, and incident response readiness.

Technical view

The supplied ATT&CK relationship maps this detection strategy to T1219.003, a command-and-control technique involving legitimate remote access hardware, including IP-based KVM devices such as TinyPilot and PiKVM. SOC and IR teams should validate visibility into newly attached USB devices, keyboard/video/mouse peripheral changes, endpoint hardware inventory changes, and network activity associated with unexpected remote management devices. Because the detection strategy itself has no official detection text or platform list, technical implementation should be based on local endpoint, network, physical access, and asset-management telemetry for Linux, macOS, and Windows environments identified by the related technique.

Likely telemetry

  • Endpoint USB device connection and hardware inventory events
  • Peripheral class changes such as keyboard, mouse, video, or composite USB devices
  • Asset inventory and configuration management records for approved KVM or remote access hardware
  • Network telemetry for remote management devices or unusual IP-based KVM access paths
  • Physical access, visitor, data center, rack, or workstation-area logs where available

Detection direction

  • Baseline approved remote access hardware and KVM devices, then alert or review deviations from that inventory.
  • Correlate USB peripheral attachment events with user presence, physical access records, and network connections where telemetry exists.
  • Tune for false positives from legitimate IT administration, lab equipment, accessibility devices, docking stations, and sanctioned KVM use.
  • Validate whether endpoint tools actually retain enough USB and hardware history to support investigation after the fact.
  • Include relationship context in SOC playbooks: this is command-and-control via hardware, so software-only remote access detections may miss it.
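As an added example (not the page's, Glexia's or MITRE's own analytic), the following Python sketches the baseline-vs-observed and correlation steps above: it parses syslog-style Linux kernel USB enumeration lines, compares each new device's vendor/product ID against an approved-inventory set, and raises severity when a composite/HID-looking device appears on a host where no badged-in user is recorded. The log lines, host names, allowlist and badge records are all constructed; the vendor/product IDs are generic entries from the public usb.ids list, not claims about TinyPilot or PiKVM hardware.

```python
import re

# Constructed sample log, not a real capture. 1d6b:0104 is the generic Linux
# composite-gadget ID from the public usb.ids list, used here only as a stand-in.
LOG = """\
Mar 10 09:12:01 ws-17 kernel: usb 1-1: New USB device found, idVendor=1d6b, idProduct=0104, bcdDevice= 1.00
Mar 10 09:12:01 ws-17 kernel: usb 1-1: Product: Composite Gadget
Mar 10 09:12:01 ws-17 kernel: usb 1-1: Manufacturer: Placeholder Labs
Mar 10 09:14:30 ws-22 kernel: usb 3-4: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
Mar 10 09:14:30 ws-22 kernel: usb 3-4: Product: USB Receiver
Mar 10 09:14:30 ws-22 kernel: usb 3-4: Manufacturer: Logitech
"""
# Placeholder approved inventory: (idVendor, idProduct) pairs that change
# management has sanctioned on these hosts.
APPROVED = {("046d", "c52b")}
# Product/manufacturer strings that suggest a composite or HID-class device,
# the shape an IP-KVM's USB side presents to the host it is attached to.
HID_HINTS = ("composite", "gadget", "kvm", "keyboard", "mouse", "hid")

PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: usb (?P<bus>\S+): "
NEW_DEV = re.compile(PREFIX + r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), "
                     r"idProduct=(?P<pid>[0-9a-f]{4})")
ATTR = re.compile(PREFIX + r"(?P<key>Product|Manufacturer): (?P<val>.*)$")

def parse(log):
    """Group enumeration and attribute lines by (host, bus port) into device records."""
    devs = {}
    for line in log.splitlines():
        if m := NEW_DEV.match(line):
            devs[(m["host"], m["bus"])] = dict(m.groupdict(), product="", manufacturer="")
        elif (m := ATTR.match(line)) and (m["host"], m["bus"]) in devs:
            devs[(m["host"], m["bus"])][m["key"].lower()] = m["val"].strip()
    return list(devs.values())

def assess(devs, approved, badged_in):
    """Flag devices outside the approved inventory. A HID-looking device on a host
    with no badged-in user is rated high (unattended attach); HID-looking with a
    user present is medium; anything else unapproved is low, for review."""
    findings = []
    for d in devs:
        if (d["vid"], d["pid"]) in approved:
            continue
        hid_like = any(h in f"{d['product']} {d['manufacturer']}".lower() for h in HID_HINTS)
        unattended = not badged_in.get(d["host"], False)
        sev = "high" if hid_like and unattended else ("medium" if hid_like else "low")
        findings.append((d["host"], f"{d['vid']}:{d['pid']}", d["product"], sev))
    return findings
```

Calling `assess(parse(LOG), APPROVED, {"ws-17": False, "ws-22": True})` returns one high-severity finding for the unapproved composite gadget on ws-17 and nothing for the sanctioned receiver on ws-22.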

Mitigation priorities

  • Establish and maintain an approved inventory for remote access hardware and IP-based KVM devices.
  • Apply peripheral device governance and physical security controls for systems where unauthorized USB hardware would create material risk.
  • Restrict, monitor, and document legitimate KVM or remote access hardware use through change management.
  • Ensure incident response procedures include inspection for attached hardware and alternate communications channels, not only malware or remote access software.
  • Use tabletop or control validation exercises to confirm SOC, IT, and facilities teams can coordinate when suspicious hardware is discovered.

Analyst notes and limits

This take relies on the object identity, external reference, and its relationship to T1219.003 Remote Access Hardware. The source object does not provide an official description, detection text, platforms, tactics, or labels for DET0159 itself; the technical context comes from the related ATT&CK technique, which lists command-and-control and Linux, macOS, and Windows.

Local implementation details are required. ATT&CK does not specify exact analytics, log sources, thresholds, or vendor controls for this detection strategy in the supplied fields. Detection feasibility depends on endpoint USB logging, hardware inventory quality, network monitoring, and physical access evidence.

Official MITRE ATT&CK definition

Detect Remote Access via USB Hardware (TinyPilot, PiKVM)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                    Relationship / procedure
Enterprise  T1219.003  Remote Access Hardware  Sub-technique. This object detects Remote Access Hardware.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: b373f64a23451d5c...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  b373f64a2345…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0159
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.